Meraki

Community

One or more of your Meraki devices are unable to communicate with this new IP range

Uberseehandel
Kind of a big deal
‎Jul 15 2019 8:36 AM
‎Jul 15 2019 8:36 AM

One or more of your Meraki devices are unable to communicate with this new IP range

I receive the message. What am I supposed to do? I'm not Mystic Meg

 

MysticMeg.jpg

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
0 Kudos
8 Replies 8
ww
Kind of a big deal
Kind of a big deal
‎Jul 15 2019 9:18 AM
‎Jul 15 2019 9:18 AM

you need to allow communication from your meraki device to that ip range. there is probably a firewall or acl that is now blocking this

0 Kudos
SoCalRacer
Kind of a big deal
‎Jul 15 2019 9:20 AM
‎Jul 15 2019 9:20 AM

If nothing has changed on your end, it sounds like your ISP might be blocking the new IPs or ports. Sometimes these things are fixed by the provider relatively soon on their own. Sometimes they are not so quick and need a call to help get it resolved. I would start with your MX or Z device and work on getting that to show connected to the Meraki cloud first.

0 Kudos
In response to SoCalRacer
Uberseehandel
Kind of a big deal
‎Jul 15 2019 10:45 AM
‎Jul 15 2019 10:45 AM

@ww 

@SoCalRacer 

 

I am adding the specified L3 outbound firewall rules.

It seems very long winded.

 

It would help if we were able to use Firewall Rule Groups, the source IPs don't change and the destinations are largely similar, we could use Source Groups, Destination Groups and Port Groups and classify them into inbound and outbound, setting protocols and descriptions for each rule the Groups are applied to.

 

So could I achieve the same ends by the use of policies?

 

As this is, in large part, a Meraki Cloud issue, I can't help feeling this is down to Meraki. This could be more simply solved by sending an email listing the rules they want to active, and asking for permission.

 

I am also puzzled, why do all the local networks have to be entered? Network devices are all on the Management VLAN.

 

By design the default 192.168.1.0/24 LAN goes no where, it does not get uplinked. Is Meraki making use of this? Is this an oversight, it would certainly be described as flying in the face of conventional wisdom.

 

As the MX sits behind another security appliance, and when at home, the Z3C is attached to the MX, this is going to be a very tedious process. Fortunately, Group Policies for Firewall configuration are available on the other security appliance.

 

As Henry V said, "Once more unto the breach"

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
0 Kudos
In response to Uberseehandel
ww
Kind of a big deal
Kind of a big deal
‎Jul 15 2019 10:52 AM
‎Jul 15 2019 10:52 AM

only the source networks where your management ip(s) are in would be sufficient.

0 Kudos
In response to ww
Uberseehandel
Kind of a big deal
‎Jul 15 2019 11:19 AM
‎Jul 15 2019 11:19 AM

@ww wrote:

only the source networks where your management ip(s) are in would be sufficient.

That is what I would think, BUT, if that is so, why are Meraki asking for all local networks to be added?

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
0 Kudos
In response to Uberseehandel
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 15 2019 2:18 PM
‎Jul 15 2019 2:18 PM

A lot of these warnings are false positives.  You get them even if their is nothing wrong.  So chances are you don't have anything to do.

We've had so many of them over the years with customer that have their Internet circuit plugged directly into their MX, so there is nothing blocking the traffic.

 

Failing that if you know you are restricting access you can check the Help/Firewall rules in the dashboard to verify you have let everything through that is needed.

0 Kudos
In response to PhilipDAth
MerakiDave
Meraki Employee
Meraki Employee
‎Jul 15 2019 7:25 PM
‎Jul 15 2019 7:25 PM

I would also open a case, recently I've seen some issues with some of the 209.206 addresses, and Meraki Support can see the individual firewall tests being made from each piece of equipment, and they may find that some are succeeding and some are not, so it's enough to keep all of the equipment up and online in Dashboard but also enough to generate warning banners.  I saw this recently in my home lab network.  It was nothing to worry about actually, but worth reporting to Support to assist with tracking and resolving the issue, which I believe is a back-end issue.

 

0 Kudos
In response to MerakiDave
Uberseehandel
Kind of a big deal
‎Jul 15 2019 11:34 PM
‎Jul 15 2019 11:34 PM

@MerakiDave 

@PhilipDAth 

 

I will open a case.

 

After some poking around, it appears that the VPN Status page, on both the MX and the Z3C, variably shows the VPN Registry as Connected, Partially Connected, or Not Connected (to the X3Z), while the devices remain wired. When the Z3C is switched over to its LTE modem (aka yank the Ethernet cable), the connection remains in place but the Status pages on the two devices are not uniformly upgraded.

 

It appears that there is a possibility that the inconsistent reporting of VPN Status across the two devices may be the cause of a false positive being triggered.

 

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.